Requested Attributes in Metadata

The SP administrator adds requested attributes to metadata along with other user interface elements. Requested attributes are presented to the user on the consent page at the IdP.

Technical Details

The SAML V2.0 Metadata specification (one of the SAML V2.0 family of specifications) supports zero or more <md:AttributeConsumingService> elements in SP metadata, each containing one or more <md:RequestedAttribute> elements. These static elements are used to communicate SP attribute requirements to IdPs.

...

<!-- Requested Attributes for InCommon SPs -->
<md:AttributeConsumingService index="1"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:ServiceName xml:lang="en">...</md:ServiceName>
  <md:ServiceDescription xml:lang="en">...</md:ServiceDescription>
  <!-- SAML V1.1 attribute syntax -->
  <md:RequestedAttribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
      FriendlyName="eduPersonPrincipalName"/>
  <md:RequestedAttribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:mace:dir:attribute-def:displayName"
      FriendlyName="displayName"/>
  <!-- SAML V2.0 attribute syntax -->
  <md:RequestedAttribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      FriendlyName="eduPersonPrincipalName"/>
  <md:RequestedAttribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:2.16.840.1.113730.3.1.241"
      FriendlyName="displayName"/>
</md:AttributeConsumingService>

Note that two <md:RequestedAttribute> elements are inserted into metadata for every attribute selected from the interface. One of those attributes is a SAML1 attribute while the other is a SAML2 attribute. The IdP will automatically choose one or the other depending on the protocol used.

Note: The isRequired XML Attribute

The astute reader will notice that the (optional) isRequired XML attribute is omitted on the <md:RequestedAttribute> elements in the example. Indeed, InCommon metadata does not support the isRequired attribute since there is no IdP software that supports this feature in SP metadata.

The <md:ServiceName> and <md:ServiceDescription> child elements of the <md:AttributeConsumingService> element correspond to the <mdui:DisplayName> and <mdui:Description> child elements of the <mdui:UIInfo> element, respectively. The administrator enters a single pair of values that the software synchronizes across both pairs of elements. See the User Interface Elements topic for more detail about the <mdui:UIInfo> element.
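The following script is an added example, not code from this page or from InCommon; it checks an SP metadata fragment against the three conventions described above (a SAML1 and a SAML2 name for every requested attribute, no isRequired XML attribute, and <md:ServiceName> mirroring <mdui:DisplayName>). The metadata fragment, its entityID and the defects it contains are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD, MDUI = "urn:oasis:names:tc:SAML:2.0:metadata", "urn:oasis:names:tc:SAML:metadata:ui"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
SAML1_PREFIX, SAML2_PREFIX = "urn:mace:dir:attribute-def:", "urn:oid:"

# Constructed SP metadata (not real InCommon metadata). eduPersonPrincipalName is
# correct; displayName has isRequired and no SAML1 twin; ServiceName drifts from mdui.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>
    </mdui:UIInfo></md:Extensions>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service (old name)</md:ServiceName>
      <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" FriendlyName="eduPersonPrincipalName"/>
      <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName"/>
      <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def check_attribute_consuming_service(xml_text):
    """Return one finding string per departure from the conventions above."""
    root = ET.fromstring(xml_text)
    findings = []
    # mdui:DisplayName per language; ServiceName is expected to mirror it exactly
    display = {d.get(XML_LANG): (d.text or "").strip() for d in root.iter(f"{{{MDUI}}}DisplayName")}
    for acs in root.iter(f"{{{MD}}}AttributeConsumingService"):
        idx = acs.get("index")
        for sn in acs.iter(f"{{{MD}}}ServiceName"):
            if display.get(sn.get(XML_LANG)) != (sn.text or "").strip():
                findings.append(f"ACS {idx}: ServiceName differs from mdui:DisplayName")
        names = {}  # FriendlyName -> set of Name values requested under it
        for ra in acs.iter(f"{{{MD}}}RequestedAttribute"):
            if "isRequired" in ra.attrib:  # InCommon metadata omits this XML attribute
                findings.append(f"ACS {idx}: isRequired set on {ra.get('FriendlyName')}")
            names.setdefault(ra.get("FriendlyName"), set()).add(ra.get("Name"))
        for friendly, seen in names.items():  # each attribute needs a SAML1 and a SAML2 name
            if not any(n.startswith(SAML1_PREFIX) for n in seen):
                findings.append(f"ACS {idx}: {friendly} lacks a SAML1 name")
            if not any(n.startswith(SAML2_PREFIX) for n in seen):
                findings.append(f"ACS {idx}: {friendly} lacks a SAML2 name")
    return findings
```

Run against the constructed fragment, it reports the drifted ServiceName, the stray isRequired, and the missing SAML1 twin for displayName, while the correctly paired eduPersonPrincipalName produces no finding.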